FAQ-000380 - Code Removal and Vulnerability Persistence / Verification of Fixes


Current FAQ

Question
How can I satisfy security review requirements and demonstrate that problematic functionality has been fully eliminated?
Answer
To satisfy security review requirements for functionality that has been removed, and to demonstrate complete elimination:

**Documentation and Evidence:**

1. **Reflect Current State**: Ensure your submission accurately represents the current state of your solution.
2. **Document Changes**: If the removed functionality was previously flagged for security issues, document the changes and provide evidence that it is no longer part of the solution.
3. **Provide Evidence**: Share evidence of the removal, such as updated architecture diagrams, code snippets, or logs showing the absence of the functionality.
4. **Explain Removal**: Provide documentation explaining the removal of the functionality and its impact on the solution.

**Technical Verification:**

1. **Remove the Functionality**: Ensure the problematic functionality is completely removed from the codebase and is no longer invoked or accessible. This includes references from other Apex classes and tests, Visualforce pages, Lightning components, and metadata such as permission sets and profiles that still grant access to the removed component.
2. **Replace with Secure Alternatives**: If applicable, update the code to replace the removed functionality with secure alternatives.
3. **Run Security Scans**: Use tools like the Salesforce Code Analyzer to confirm that no vulnerabilities related to the removed functionality remain.
4. **Update Submission Materials**: Include updated security scan reports and other relevant materials to reflect the revised solution.

**Review Process:**

1. **Submit a False Positive Document**: If necessary, explain the changes and justify any flagged issues that are no longer relevant.
2. **Include Supporting Documentation**: Add all relevant documentation to your security review submission to demonstrate compliance with Salesforce security guidelines.
3. **Meet Remaining Requirements**: Ensure all other security review requirements are met for the remaining functionality in your solution.

These steps make the elimination of the problematic functionality clear and verifiable to reviewers and keep the submission aligned with Salesforce's security review requirements.

AI Recommended Enhancement

Related Security Rules

- ApexBadCrypto
- ApexCRUDViolation
- ApexSOQLInjection
- ApexSharingViolations
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- VfCsrf
- VfUnescapeEl
Question
How can I satisfy security review requirements and demonstrate that problematic functionality has been fully eliminated?
Recommended Answer Update
To satisfy security review requirements for functionality that's been removed, and to demonstrate complete elimination:

**Documentation and Evidence:**

1. **Reflect Current State**: Ensure your submission accurately represents the current state of your solution.
2. **Document Changes**: If the removed functionality was previously flagged for security issues, document the changes and provide evidence that it's no longer part of the solution.
3. **Provide Evidence**: Share evidence of the removal, such as updated architecture diagrams, code snippets, or logs showing the absence of the functionality.
4. **Explain Removal**: Provide documentation explaining the removal of the functionality and its impact on the solution.

**Technical Verification:**

1. **Remove the Functionality**: Ensure the problematic functionality is completely removed from the codebase and is no longer invoked or accessible. This includes references from other Apex classes and tests, Visualforce pages, Lightning components, and metadata such as permission sets and profiles that still grant access to the removed component.
2. **Replace with Secure Alternatives**: If applicable, update the code to replace the removed functionality with secure alternatives.
3. **Run Security Scans**: Use tools like the Salesforce Code Analyzer to confirm that no vulnerabilities related to the removed functionality remain.
4. **Update Submission Materials**: Include updated security scan reports and other relevant materials to reflect the revised solution.

**Review Process:**

1. **Submit a False Positive Document**: If necessary, explain the changes and justify any flagged issues that are no longer relevant.
2. **Include Supporting Documentation**: Add all relevant documentation to your security review submission to demonstrate compliance with Salesforce security guidelines.
3. **Meet Remaining Requirements**: Ensure all other security review requirements are met for the remaining functionality in your solution.

These steps make the elimination of problematic functionality clear and verifiable to reviewers and keep the submission aligned with Salesforce's security review requirements.
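The "Technical Verification" steps above, and the identical steps in the current FAQ answer, leave open how to actually prove that a removed component is gone. The script below is an added example written for this FAQ; it is not Salesforce tooling and not part of the original page. It walks a Salesforce DX source tree for residual references to a deleted Apex class (including metadata such as permission sets, which is where leftovers usually hide), checks a Code Analyzer report for findings still located in the deleted file, and totals findings per rule for the before/after summary. The class names LegacyExportController and ExportController, the sample files and both scan reports are constructed for illustration; the report layout (a list of objects with `fileName` and a `violations` list carrying `line` and `ruleName`) is assumed to match the Code Analyzer v3 JSON output, which is an assumption about that tool rather than something this FAQ states.

```python
"""Added example for this FAQ (not Salesforce tooling): prove a removed Apex
component is gone from the source tree and from the Code Analyzer report.
Names, sample tree and reports are constructed; the report layout is assumed
to be the Code Analyzer v3 JSON output (a list of per-file entries)."""
import os
import re
import tempfile

# SFDX files that can still name a deleted class: Apex, triggers, Visualforce,
# Aura/LWC JavaScript and metadata XML (permission sets, profiles, manifests).
SOURCE_SUFFIXES = (".cls", ".trigger", ".page", ".component", ".js", ".html", ".xml")


def find_residual_references(root, symbols):
    """Sorted (path, line, symbol) tuples: line 0 for a file still named after
    a removed symbol, otherwise the line that mentions it as a whole word."""
    patterns = {s: re.compile(r"\b" + re.escape(s) + r"\b") for s in symbols}
    hits = []
    for dirpath, dirnames, files in os.walk(root):
        dirnames.sort()
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.extend((rel, 0, s) for s in symbols if s in name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    hits.extend((rel, line_no, s) for s, p in patterns.items() if p.search(line))
    return sorted(hits)


def findings_in_removed_files(report, symbols):
    """Violations located in a file named after a removed symbol; any result
    means the report predates the removal or the file is still deployed."""
    out = []
    for entry in report:
        stem = os.path.basename(entry.get("fileName", "")).split(".")[0]
        if stem in symbols:
            out.extend((stem, v.get("line"), v.get("ruleName")) for v in entry.get("violations", []))
    return out


def rule_counts(report):
    """Per-rule totals for the before/after summary in the submission."""
    counts = {}
    for entry in report:
        for v in entry.get("violations", []):
            counts[v["ruleName"]] = counts.get(v["ruleName"], 0) + 1
    return counts


def removal_is_clean(root, report, symbols):
    """True only when neither the tree nor the scan still knows the symbols."""
    refs = find_residual_references(root, symbols)
    findings = findings_in_removed_files(report, symbols)
    return (not refs and not findings), refs, findings


# Constructed reports in the assumed v3 layout (what json.load gives you).
STALE_REPORT = [{"fileName": "force-app/main/default/classes/LegacyExportController.cls",
                 "violations": [{"line": 9, "ruleName": "ApexSOQLInjection",
                                 "message": "constructed: unescaped variable in dynamic SOQL"},
                                {"line": 9, "ruleName": "ApexCRUDViolation",
                                 "message": "constructed: no CRUD check before query"}]}]
CLEAN_REPORT = [{"fileName": "force-app/main/default/classes/ExportController.cls",
                 "violations": [{"line": 1, "ruleName": "ApexDoc",
                                 "message": "constructed: missing ApexDoc comment"}]}]

CLEAN_FILES = {  # the replacement class and the page that uses it (constructed)
    "force-app/main/default/classes/ExportController.cls":
        "public with sharing class ExportController {\n"
        "    public static List<Account> export(String name) {\n"
        "        return [SELECT Id, Name FROM Account WHERE Name = :name WITH USER_MODE];\n"
        "    }\n}\n",
    "force-app/main/default/pages/Export.page":
        "<apex:page controller=\"ExportController\">\n    <apex:pageBlock title=\"Export\"/>\n</apex:page>\n",
}
LEFTOVER_FILES = {  # what commonly survives a deletion: a stale test, a permission set
    "force-app/main/default/classes/LegacyExportControllerTest.cls":
        "@IsTest\nprivate class LegacyExportControllerTest {\n"
        "    @IsTest static void exportsRecords() {\n"
        "        LegacyExportController ctrl = new LegacyExportController();\n"
        "        ctrl.export('Account');\n    }\n}\n",
    "force-app/main/default/permissionsets/Export_User.permissionset-meta.xml":
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        "<PermissionSet xmlns=\"http://soap.sforce.com/2006/04/metadata\">\n"
        "    <classAccesses>\n        <apexClass>LegacyExportController</apexClass>\n"
        "        <enabled>true</enabled>\n    </classAccesses>\n"
        "    <label>Export User</label>\n</PermissionSet>\n",
}


def build_sample_project(with_leftovers=True):
    """Write the constructed SFDX tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="sfdx-removal-")
    files = dict(CLEAN_FILES, **(LEFTOVER_FILES if with_leftovers else {}))
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

On a real project, call `find_residual_references(project_root, {"DeletedClassName"})` and pass `removal_is_clean` the parsed JSON of a fresh scan (with Code Analyzer v3, `sf scanner run --format json --outfile report.json`; newer releases of the analyzer write a different layout, so check the keys before trusting `findings_in_removed_files`). In the constructed tree, `removal_is_clean(build_sample_project(), CLEAN_REPORT, {"LegacyExportController"})` comes back false because a test class still instantiates the deleted controller and a permission set still grants access to it; those are exactly the leftovers the "no longer invoked or accessible" requirement is about, and they are cheaper to find here than in a review rejection. `rule_counts(STALE_REPORT)` against `rule_counts(CLEAN_REPORT)` gives the concrete before/after line for the updated scan report.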
Reasoning
The FAQ content is well-structured and comprehensive, addressing the key aspects of demonstrating code removal and vulnerability fixes. The changes made are stylistic improvements for clarity and consistency:

1. **Tone improvements**: Contracted "functionality that has been removed" to "functionality that's been removed" and "it is no longer part of the solution" to "it's no longer part of the solution" for more conversational language.
2. **Clarity enhancements**: Minor wording refinements, such as "the elimination of problematic functionality" in the closing sentence, to improve readability without changing the substance of the advice.

Regarding the selected security rules, each relates directly to common vulnerabilities that might require removal during AppExchange security review:

- **ApexBadCrypto**: The FAQ discusses removing problematic functionality and replacing it with secure alternatives. Weak cryptographic implementations are commonly flagged issues that require complete removal and replacement with approved cryptographic methods.
- **ApexCRUDViolation**: CRUD/FLS violations are frequently identified security issues that require code removal or modification. The FAQ's guidance on "Remove the Functionality" and "Replace with Secure Alternatives" directly applies to addressing CRUD violations.
- **ApexSOQLInjection**: SOQL injection vulnerabilities often require removing dynamic SOQL built by string concatenation in favour of bind variables or properly escaped input. The FAQ's emphasis on providing evidence of removal and running security scans directly relates to demonstrating SOQL injection fixes.
- **ApexSharingViolations**: Sharing rule violations frequently require architectural changes or code removal. The FAQ's guidance on documenting changes and providing evidence applies directly to demonstrating sharing violation remediation.
- **ApexXSSFromEscapeFalse** and **ApexXSSFromURLParam**: XSS vulnerabilities often require removal of unsafe output patterns. The FAQ's guidance on complete removal and secure alternatives directly applies to XSS remediation.
- **VfCsrf**: CSRF vulnerabilities may require removal of unsafe Visualforce patterns, making the FAQ's guidance on demonstrating complete elimination highly relevant.
- **VfUnescapeEl**: Unescaped expression language issues often require removal of unsafe output methods, directly relating to the FAQ's guidance on functionality removal and verification.